The Beyond Identity Authenticator can now be configured to allow a user to switch between different machines. This enables Beyond Identity keys to be shared via roaming profiles on an Active Directory Domain.
It’s recommended only for specific use cases. For example, this can be used with non-persistent VDI machines with additional policy controls around them to avoid an end user having to import a passkey each time a VDI machine is started.
To allow a user to share Passkeys across different machines, the system administrator must perform the following steps:
- Set the following value in the Windows Registry of machines in scope for leveraging a shared software passkey:
|Registry Key Value||SHARED_PROFILES|
0 = Disables shared profiles (default)
1 = Enables shared profiles
This will set the Beyond Identity authenticator to store and read passkeys from %appdata%\BeyondIdentity.
- Deploy roaming user profiles.
Configure Credential Roaming for certificates and DPAPI master keys using GPO.
Once configured, the Passkey in the roaming profile is available and viewable in the Authenticator whenever a user logs into a new machine configured to use roaming profiles.